devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
Jenkins Arbitrary File Read via Crafted CLI Command (CVE-...
CVE-2018-1999002 let attackers read arbitrary files from Jenkins masters via crafted requests to the Stapler framework, exposing secrets and credentials.
TeamCity Authentication Bypass Exploited by Nation-State ...
A critical TeamCity authentication bypass, CVE-2023-42793, let APT29 and North Korean hackers seize build servers for supply chain attacks.
TeamCity Authentication Bypass Enabling Admin Account Cre...
CVE-2024-27198 lets unauthenticated attackers bypass TeamCity login and create admin accounts, with active exploitation and ransomware activity observed.
GitLab Unauthenticated RCE via ExifTool Image Processing ...
CVE-2021-22205 let attackers gain unauthenticated RCE on self-hosted GitLab via ExifTool image parsing. Here's the affected versions, severity, timeline, and fixes.
Argo CD Path Traversal via Malicious Helm Chart values.ya...
CVE-2022-24348 let attackers use a malicious Helm chart to path-traverse Argo CD's repo-server, exposing secrets across GitOps applications. Here's the fix.
Best SLSA-compliant build systems
A fair comparison of SLSA compliant build systems—GitHub Actions, Cloud Build, GitLab, Tekton Chains—with real strengths and limitations for Build Level 3.
Best container image scanning tools
A practical comparison of container image scanning tools — Trivy, Grype, Snyk, Docker Scout, Clair, and Anchore — with real strengths, limits, and how to pick one.
Container image supply chain attack trends
Container images have become the software supply chain's most contested attack surface. A look at the xz-utils backdoor, registry-borne malware campaigns, and the detection gaps behind them.
Agentic AI Supply Chain Vulnerabilities
Agentic AI systems trust tools and models at runtime, not build time. Real 2024-2025 incidents show how MCP servers and AI packages become supply chain attack vectors.
Best SAST tools for enterprise applications
A practical buyer's guide comparing top SAST tools for enterprise apps -- strengths, limitations, and how Safeguard unifies findings across your pipeline.
Container registry credential leak trends
2026 data shows container registry credential leaks accelerating as CI pipelines speed up — and why layer-aware scanning, not just final-image checks, is now essential.
Best IAST tools for runtime application security testing
A practical, no-fluff comparison of IAST tools for runtime application security testing — evaluation criteria, honest vendor tradeoffs, and where supply chain risk still slips through.